Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Write realtime search results to summary index

manjosk8
Engager
‎08-24-2012 06:37 AM

Hi,

I am trying to figure out how to write real time search results to summary index.
Since I cannot create real time search that populates summary index from Manager->Searches and reports view because Splunk hides me an summary index option if I enter value rt for Start time and End time fields, I tried different approach using collect method.

On end of my initial search string I added following statements:

| addinfo | collect run_in_preview=false index=summary_index addtime=t marker="report=\"test\""

and Splunk writes only results to summary index when I finalize real time search, which does not help.

I also tried to run a search using collect run_in_preview=true parameter, but then Splunk writes same events multiple times to summary index, I guess on each real time search refresh.

If you have any suggestions or ideas please help.

Thanks in advance!

Tags (1)
Reply

dolivasoh
Contributor
‎12-29-2014 11:44 AM

Try setting it up as an alert to run real-time over 1 minute and send results to the summary index. If that option isn't available to you, you'll need to check your permissions.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎11-13-2014 11:48 AM

Why would you want to write real-time results to a summary index? Doesn't that defeat the purpose of a summary index? What are you trying to accomplish with the summary index data? Perhaps that would help formulate a solution to your problem.

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...